STE WILLIAMS

S for Security is Google owner Alphabet’s new favorite letter

Google’s parent company Alphabet has launched a security company named Chronicle.

The business will be the new home of VirusTotal, which Google acquired in 2012. Chronicle’s other story will be “a new cybersecurity intelligence and analytics platform that we hope can help enterprises better manage and understand their own security-related data.”

Chronicle’s schtick is that security teams drown in multitudes of alerts, but can’t see the significant stuff and therefore can’t spot threats or attacks for ages. The company therefore plans to throw the cloud and machine learning at the problem, giving users more storage than they can run on-premises and algorithmic assistance to mine all that data to figure out what bad actors are up to.

Chronicle’s not said much about how it will deliver, other than to say it plans to use “Massive compute and storage” and to deliver its promised insights as cloud services.

The company has also hopped on the “there are too many security vendors” bandwagon, arguing that “The proliferation of data from the dozens of security products that a typical large organization deploys is paradoxically making it harder, not easier, for teams to detect and investigate threats.” Chronicle’s not alone with that stance: VMware’s voiced similar sentiments and security experts of The Register’s acquaintance have often said that security vendors selling solutions that address particular problems end up creating overlapping arrays of worthy tools that together make life more complicated.

Whether Chronicle will itself help or hinder remains obscure, as does the exact nature of its service. The company has revealed it’s running private Alpha tests, but precious little other detail is available at the time of writing.

One thing that is sure is that the security market is expected to grow, and grow, and grow, as increased interconnectivity gives bad actors more opportunities – and vendors who think they have something to offer reason to launch new products or services. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/25/alphabet_starts_secutity_business_named_chronicle/

IT ‘heroes’ saved Maersk from NotPetya with ten-day reinstallation bliz

It’s long been known that shipping giant Maersk suffered very badly from 2017’s NotPetya attack.

Now the company’s chair has detailed just how many systems went down: basically all of them.

Speaking on a panel at the World Economic Forum, Møller-Maersk chair Jim Hagemann Snabe detailed the awful toll of the attack as necessitating the reinstallation of “4,000 new servers, 45,000 new PCs, and 2,500 applications”. Or as Snabe described it: “a complete infrastructure.”

“And that was done in a heroic effort over ten days,” he said.

“Normally – I come from the IT industry – you would say that would take six months. I can only thank the employees and partners we had doing that.”

Speaking from about 3:00 in the video below, Snabe said he first got word of the attack in a 4:00 AM phone call.

Youtube Video

He noted that Maersk was “probably collateral damage” in an attack designed by and for a state (Ukraine was the target: the malware was put in a malicious update to MeDoc, the country’s most popular accounting software).

To recover from the attack, Snabe said the company had to revert to manual systems for the ten-day reinstall.

Given that a Maersk ship docks somewhere in the world every 15 minutes, unloading between 10,000 and 20,000 containers, it’s surprising that Snabe claims the staff managed to revert to manual systems with only “a 20 per cent drop in volumes”.

The chair said people across the organisation just did the work to keep disruptions to a minimum, labeling their efforts “human resilience”.

But he also warned that in the near future, as automation creates near-total reliance on digital systems, human effort won’t be able to help such crises.

Noting that the internet was not designed to support the applications that now rely on it, he said “There is a need for a radical improvement of infrastructure.” He called for “collaboration between companies, technology companies [and] law enforcement” to re-design the digital world.

That effort is a way off. For now Snabe plans to ensure Maersk learns from the “very significant wake-up call” that was the attack and turn its experience into a security stance that represents competitive advantage.

He also called for all businesses to stop being naïve about security, saying organisations of any size – even the mightiest – will experience disruptions if they don’t take security seriously.

Maersk’s own experience is that the attack it endured cost it between $250m and $300m, in line with what the company told a conference call in August 2017.

Maersk wasn’t the only outfit to cop a huge NotPetya bill: pharma giant Merck was also bitten to the tune of $310m, FedEx a similar amount, while WPP and TNT were also hit but didn’t detail their costs. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/25/after_notpetya_maersk_replaced_everything/

SHL just got real-mode: US lawmakers demand answers on Meltdown, Spectre handling from Intel, Microsoft and pals

Four Republican members of the US House of Representatives sent letters on Wednesday to the leaders of Amazon, AMD, Apple, ARM, Google, Intel and Microsoft seeking answers about how the embargo on the Meltdown and Spectre bugs was handled.

The secrecy agreement, put in place by these same companies, demanded silence from June 2017, when researchers recognized the seriousness of the processor design flaws, through the planned date of coordinated disclosure on Tuesday, January 9, 2018.

However, unaware of any embargo and after some detective work, The Register broke the news a week early, on January 2, 2018. Google then posted technical details about the flaws on January 3, with Arm following suit with a white paper and mitigation code, and AMD pitching in information.

Chaos ensued as Intel rushed out patches – some of which proved faulty – and tried to reassure customers and stockholders that they would not have to replace most of the CPUs shipped in the past two decades. Meanwhile, operating systems from Windows to macOS to the various Linux distros emitted a range of fixes and mitigations for Meltdown and Spectre over the course of several days.

The dust still hasn’t settled. On Sunday, Linux kernel leader Linus Torvalds fumed that Intel’s approach to mitigating the Spectre flaw is “pure garbage.”

Questions

The four congressional representatives – Greg Walden (R-OR), Gregg Harper (R-MS), Bob Latta (R-OH), and Marsha Blackburn (R-TN) – affiliated with the House Energy and Commerce Committee and various subcommittees, have asked Amazon’s Jeff Bezos, Arm’s Simon Segars, Apple’s Tim Cook, AMD’s Lisa Su, Google’s Sundar Pichai, Intel’s Brian Krzanich, and Microsoft’s Satya Nadella the same questions about how the embargo and disclosure were handled.

The breakdown of the embargo, they note, raises questions about whether it was effective and appropriate, given how companies left out of the agreement were caught off-guard.

“While we acknowledge that critical vulnerabilities such as these create challenging tradeoffs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” the legislators say in their letters, dated Wednesday.

Cybersecurity, they insist, has become a collective responsibility that extends beyond the information technology community to include energy, healthcare, manufacturing, and other sectors.

“This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general,” the letters conclude.

Intel, which is already facing several lawsuits over the vulnerabilities and reports its Q4 2017 earnings tomorrow, is apparently thrilled.

“The security of our customers and their data is critical to us,” a spokesperson told The Register via email. “We appreciate the questions from the Energy and Commerce Committee and welcome the opportunity to continue our dialogue with Congress on these important issues. In addition to our recent meetings with legislative staff members, we have been discussing with the Committee an in-person briefing, and we look forward to that meeting.”

Google, meanwhile, insists it behaved in accordance with established practices. “After working with security teams across the industry for months, we released our findings according to established principles of vulnerability disclosure, and deployed mitigations to help secure people’s information on Google and other platforms,” a spokesperson told The Register via email.

Lawmakers are seeking similar answers from the US government itself, which has been criticized for opaque and inconsistent handling of vulnerabilities. The House of Representatives earlier this month approved the “Cyber Vulnerability Disclosure Reporting Act,” to ensure that the Department of Homeland Security tells elected officials about its policies and procedures for bug reporting. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/25/house_reps_intel_meltdown_spectre/

Mobile point of sale gets a PCI security standard

The advent of mobile point-of-sale (MPOS) systems has been a boon for consumers and retailers of modest means, but the Payment Card Industry Security Standards Council’s security wonks worried that such systems can’t adhere to the strict hardware standards that merchants’ credit card terminals must meet.

Hence the announcement [PDF] of a new standard that aims to advise merchants on how they can let you pay with a PIN on a mobile device without letting crims steal creds.

The standard’s four key principles are: the service has to be actively monitored, in case a device like a phone or tablet is compromised; the PIN has to be isolated from other account data; the “software and integrity of the PIN entry application” on common off-the-shelf (COTS) devices has to be ensured; and both PIN and account data have to be protected “using a PCI approved Secure Card Reader-PIN (SCRP).”

As the PCI SSC’s Troy Leach explains in this blog post, the aim is to “mitigate risks associated with a software-centric solution”.

The all-important isolation of account data from the PIN, Leach said, “happens as the Primary Account Number (PAN) is never entered on the mobile device with the PIN. Instead that information is captured by an EMV Chip reader that is approved as a Secure Card Reader for PIN (SCRP) that encrypts the contact or contactless transaction.”

Back-end security controls include “attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies,” Leach said.

As well as security requirements, which apply to companies providing the payment solutions, the standard includes a test requirements document. Leach said the test requirements, which will be published in February, “create validation mechanisms for payment security laboratories to evaluate the security of a solution”.

As devices pass the Council’s testing, they’ll be listed on its Web site. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/25/mobile_pos_gets_pci_security_standard/

libcurl has had auth leak bug since ‘the first commit we recorded’

If you use curl or libcurl, the command line tool and library for transferring data with URLs, get ready to patch. The code has a pair of problems, one of which is an authentication leak.

This advisory says the library can leak authentication data to third parties because of how it handles custom headers in HTTP requests.

“When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value”, the advisory states.

Applications that pass on custom authorisation headers could therefore leak credentials or “data that could allow others to impersonate the libcurl-using client’s request”.

CVE-2018-1000007 has been present since “before curl 6.0”, the advisory states – meaning it goes back to before September 1999. Indeed, the advisory ‘fesses up that “It existed in the first commit we have recorded in the project”.

Users need to upgrade to curl 7.58.0, and there’s a warning of a change of behaviour to close the bug. If you need to pass a header to other hosts, curl needs a specific permission to do so, using a --location-trusted flag.
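To make the behaviour change concrete, here is an added example (not curl project code) of a minimal redirect follower with the hardened policy: application-supplied headers accompany requests to the host in the original URL only, unless the caller opts in to trusting other hosts, which plays the role of the --location-trusted flag. The transport, host names and token are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit


def same_host(url_a, url_b):
    """True when both URLs name the same scheme, host and port."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def headers_for_hop(original_url, hop_url, custom_headers, trust_other_hosts=False):
    """Decide which application-supplied headers go with the request to hop_url.

    Pre-7.58 behaviour sent them to every host reached through a redirect.
    The hardened rule: only the host in the original URL gets them, unless the
    caller explicitly opted in (the --location-trusted analogue).
    """
    if trust_other_hosts or same_host(original_url, hop_url):
        return dict(custom_headers)
    return {}


def follow_redirects(url, custom_headers, transport, max_hops=5, trust_other_hosts=False):
    """Follow 30x redirects and return (final_url, status, hops).

    hops is a list of (url, headers_sent) so the caller can audit exactly which
    headers left the client for which host.
    """
    original = url
    hops = []
    for _ in range(max_hops + 1):
        sent = headers_for_hop(original, url, custom_headers, trust_other_hosts)
        status, resp_headers = transport(url, sent)
        hops.append((url, sent))
        if status in (301, 302, 303, 307, 308) and "Location" in resp_headers:
            # Location may be relative; resolve it against the current URL.
            url = urljoin(url, resp_headers["Location"])
            continue
        return url, status, hops
    raise RuntimeError("too many redirects")


# Constructed stand-in for the network: URL -> (status, response headers).
# The second hop redirects off to an unrelated third-party host.
SAMPLE_SITE = {
    "https://api.example.test/login": (302, {"Location": "/home"}),
    "https://api.example.test/home": (302, {"Location": "https://third-party.test/landing"}),
    "https://third-party.test/landing": (200, {}),
}


def sample_transport(url, headers_sent):
    """Fake transport: ignores the headers and answers from SAMPLE_SITE."""
    return SAMPLE_SITE[url]


if __name__ == "__main__":
    creds = {"Authorization": "Bearer example-token"}  # constructed value
    final, status, hops = follow_redirects("https://api.example.test/login", creds, sample_transport)
    for hop_url, sent in hops:
        print(hop_url, "->", sorted(sent) or "no custom headers")
```

The audit trail in `hops` is the useful part for a defender: with the default policy the third-party hop records an empty header set, and only an explicit `trust_other_hosts=True` reproduces the old leak-prone behaviour.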

The second issue, CVE-2018-1000005, is described as an “HTTP/2 trailer out-of-bounds read”. The advisory says “reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required.”

“When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.”

The second bug only exists in libcurl versions from 7.49.0 to 7.57.0. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/25/curl_carried_auth_leak_bug_practically_forever/

Skype, Slack, other apps inherit Electron vuln

Updated: If you’ve built a Windows application on Electron, check to see if it’s subject to a just-announced remote code execution vulnerability.

Electron is a node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It’s widely used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters.

Slack users should update to version 3.0.3 or better, and the latest version of Skype for Windows is protected, Microsoft told Cyberscoop.

Electron has only published limited details of CVE-2018-1000006, but it affects Windows applications that use custom protocol handlers in the framework.

Here’s what the advisory has to say:

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”

A ray of sunshine to close: “macOS and Linux are not vulnerable to this issue”, Electron’s developers said.

The advisory doesn’t give any indication how many apps make themselves the default protocol handler.

Electron has pushed out three patched versions: 1.8.2-beta.4, 1.7.11, and 1.6.16, and: “If for some reason you are unable to upgrade your Electron version, you can append -- as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options.” ®

Update: Signal has posted to Skype that it’s not affected.
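The workaround rests on a command-line convention: a bare `--` ends option parsing, so whatever the operating system substitutes for the URL afterwards is handed to the app as data rather than interpreted as a switch. The following added example (not Electron’s code) models that with Python’s argparse; the command templates, the `myapp.exe` name and the `--example-switch` option are constructed stand-ins for a registered handler command and a runtime switch.

```python
import argparse

# Constructed command templates of the kind a Windows protocol-handler
# registration stores: the OS substitutes the clicked URL for %1 at launch.
HANDLER_TEMPLATE_UNPATCHED = ["myapp.exe", "%1"]
HANDLER_TEMPLATE_HARDENED = ["myapp.exe", "--", "%1"]  # the advisory's workaround


def build_invocation(template, url):
    """Expand the registered template into the argv the app is launched with."""
    return [url if token == "%1" else token for token in template]


def parse_invocation(argv):
    """Interpret argv the way an option-parsing runtime does.

    Tokens before '--' that look like switches are consumed as switches;
    everything after '--' is delivered to the app as positional data.
    '--example-switch' is a hypothetical switch standing in for any runtime
    option; it is not a real Electron or Chromium flag.
    """
    parser = argparse.ArgumentParser(prog=argv[0], allow_abbrev=False)
    parser.add_argument("--example-switch", default=None)
    parser.add_argument("url", nargs="?")
    ns, unknown = parser.parse_known_args(argv[1:])
    return {"switch": ns.example_switch, "url": ns.url, "unparsed": unknown}


def handler_treats_url_as_data(template, url):
    """True when the substituted URL reaches the app as the positional argument
    and set no switch, which is the property a protocol handler needs."""
    result = parse_invocation(build_invocation(template, url))
    return result["url"] == url and result["switch"] is None


if __name__ == "__main__":
    for template in (HANDLER_TEMPLATE_UNPATCHED, HANDLER_TEMPLATE_HARDENED):
        for sample in ("myapp://open/item/42", "--example-switch=from-url"):
            print(template, repr(sample), handler_treats_url_as_data(template, sample))
```

The check to carry over to a real deployment is the same as the function above: inspect the registered handler command and confirm the URL placeholder sits after a `--` terminator, or, better, that the app runs a patched Electron release.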


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/24/skype_signal_slack_nherit_electron_vuln/

Bell Canada Canucks it up again: Second hack in just eight months

Executives at Bell Canada have been left with faces redder than their nation’s flag – after their subscriber database was hacked for the second time in eight months.

In May 2017, 1.9 million customer records were stolen from Canada’s largest telco after its anti-hacking defenses failed. Now the biz has admitted miscreants have struck again and made off with the personal information of 100,000 punters.

“We apologize to our customers and are contacting all those affected,” spokesman Mark Langton told the Globe and Mail. “There is an active Royal Canadian Mounted Police investigation of the incident and Bell has notified appropriate government agencies including the Office of the Privacy Commissioner.”

Langton said the attackers got away with the names and email addresses of subscribers, along with some phone numbers, and account user names and numbers. It does not appear, at this point, that credit card data was nicked, but investigations are continuing.

“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the Office of the Privacy Commissioner’s spokeswoman Tobi Cohen.

Given Bell’s preeminent position in Canada, and the fact that it’s pulling in over CAN$5bn a quarter, you’d think that some money could be invested in security. It seems not. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/24/bell_canada_security_hack/

Meet Chronicle: Alphabet’s New Cybersecurity Business

Google parent company Alphabet introduces Chronicle, which will combine a security analytics platform and VirusTotal.

Alphabet, parent company of Google, Nest, and other ventures, today announced a new independent business focused on cybersecurity. Chronicle is the latest project to graduate from X, the internal research lab where Alphabet develops new technologies.

Chronicle was built to help security and IT professionals detect and prevent cyberattacks before they cause damage. The business will be split into two parts: an intelligence and analytics platform to handle security-related data, and VirusTotal, which Google acquired in 2012.

Part of the intent behind Chronicle is to help businesses deal with an increase of data amid the security talent shortage, writes Chronicle cofounder and CEO Stephen Gillett in a blog post.

“At large companies, it’s not uncommon for IT systems to generate tens of thousands of security alerts a day,” he explains. “Security teams can usually filter these down to about a few thousand they think are worth investigating — but in a day’s work, they’re lucky if they can review a few hundred of them.”

The result is thousands of potential clues about hacking are either overlooked or thrown away. Further, many businesses don’t have the budget to store all relevant data amid increasing storage costs, impeding security investigations.

Chronicle is building its analytics platform, which is currently undergoing testing at Fortune 500 companies, to detect and analyze security signals that are otherwise too hard and expensive to find. The platform will leverage machine learning to dig through enterprise data, detect threats, and look for patterns to find areas of likely vulnerability.

VirusTotal, the second component, is a malware intelligence service that analyzes suspicious files and URLs to detect viruses, Trojans, worms, and other forms of malware. Alphabet integrated VirusTotal into X in 2015 and reports it will continue to operate as it has been.

Chronicle was officially founded as an X project in February 2016 and spent two years in development. Alphabet has recruited enterprise security experts from across the industry to work on Chronicle. In addition to Gillett, who was formerly COO at Symantec, the team includes Norton antivirus co-founder Carey Nachenberg and Google engineering vet Will Robinson.

The launch of Chronicle falls outside the scope of typical projects at X, also known as “the moonshot factory.” Previously explored ideas include smart contact lenses, Internet-beaming balloons, and self-driving cars. Very few have advanced to the graduation phase of Alphabet’s projects.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/cloud/meet-chronicle-alphabets-new-cybersecurity-business/d/d-id/1330897?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

PCI DSS Adds Standard for Software-based PIN Entry

Software-Based PIN Entry on COTS (SPoC) standard supports EMV contact and contactless transactions with PIN entry on merchant mobile devices.

The PCI Security Standards Council has created a new standard for software-based PIN entry for transactions on merchants’ smartphones, tablets and other commercial off-the-shelf devices.

PCI Software-Based PIN Entry on COTS (SPoC) provides security specifications for secure PIN entry apps, which are then used together with a secure card reader for PINs on mobile point-of-sale systems, which have become all the rage for small merchants.

Mobile PoS “has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere. However, some small merchants in markets that require EMV chip-and-PIN acceptance may have found the costs of investing in hardware prohibitive,” said Ron van Wezel, senior analyst with Aite Group. The new PCI standard incorporates PIN entry into the mobile touchscreen: “This means that merchants can accept payments with just their mobile device and a small, cost-efficient card reader connected to it along with a secure PIN entry application,” he said.

Troy Leach, PCI SSC Chief Technology Officer, said the new standard provides app developers and mobile and other platform vendors with security requirements for creating secure PIN technology for those devices. 

Read more about the new PCI standard here

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/pci-dss-adds-standard-for-software-based-pin-entry/d/d-id/1330898?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DDoS Attacks Become More Complex and Costly

Major DDoS attacks cost some organizations more than $100,000 in 2017, according to a new NETSCOUT Arbor report.

Distributed denial-of-service (DDoS) attacks are more complex and cause more financial damage than ever, new data shows.

According to NETSCOUT Arbor’s 2017 Worldwide Infrastructure Security Report published today, the number of DDoS attacks that cost organizations between $501 and $1,000 per minute in downtime increased by 60%. In addition, 10% of enterprises estimated a major DDoS attack cost them greater than $100,000 in 2017, five times more than previously seen.

Now in its 13th year, the report is based on 390 responses from service providers, hosting, mobile, enterprise, and other types of network operators from around the world. A full 66% of all respondents identify as security, network, or operations professionals.

Gary Sockrider, principal security technologist with NETSCOUT Arbor, says there was a 20% increase in multi-vector attacks in 2017 compared to the previous year. Multi-vector attacks combine high-volume floods, TCP state exhaustion attacks, and application-layer attacks in a single sustained offensive, which makes the attacks more difficult to mitigate and increases the attackers’ chance of success.

“We found that nearly half the group said they experienced a multi-vector attack,” Sockrider says.

“Along with revenue loss, companies also experience customer and employee churn as well as reputational damage,” he says.

DDoS attacks last year originated primarily from China, Russia, and inside the US, according to the report. The top motivators for the attacks were online gaming-related (50.5%), criminals demonstrating DDoS capabilities to potential customers (49.1%), and criminal extortion attempts (44.4%). Political/ideological disputes were fifth on the list at 34.5%.

Sockrider says due to the global shortage of IT security talent, many respondents were turning to automation for DDoS mitigation: 36% of service providers use automation tools for DDoS mitigation, and 30% of providers employ on-premise or always-on cloud services for thwarting these attacks.

Meantime, researchers at Imperva developed a list of the Top 12 DDoS Attack Types You Need to Know. Among them:

DNS Amplification: In a reflection type of attack, a perpetrator starts with small queries that use the spoofed IP address of the intended victim. Exploiting vulnerabilities on publicly-accessible DNS servers, the responses inflate into much larger UDP packet payloads and overwhelm the targeted servers.

UDP Flood: The perpetrator uses IP packets containing UDP datagrams to deluge random ports on a target network. The victimized system attempts to match each datagram with an application, but fails. The system soon becomes overwhelmed as it tries to handle the UDP packet reply volume.

DNS Flood: Similar to a UDP flood, this attack involves perpetrators using mass amounts of UDP packets to exhaust server-side resources. However, in this attack the target is DNS servers and their cache mechanisms, with the goal being to prevent the redirection of legitimate incoming requests to DNS zone resources.
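Both the DNS amplification and the UDP flood entries above describe traffic shapes a network defender can look for in flow records. The following added example (not Imperva’s or NETSCOUT Arbor’s code) runs two such checks over constructed flow lines: DNS answers arriving at a protected host that are unsolicited or far larger than the queries that host sent (the reflection/amplification signature), and a single external source spraying UDP at many distinct ports of one host (the flood signature). The record format, addresses, thresholds and the protected prefix are all assumptions for the example.

```python
from collections import defaultdict

PROTECTED_PREFIX = "10.0.0."   # constructed: the address range we defend
AMPLIFICATION_RATIO = 5.0      # answer/query byte ratio treated as suspicious
FLOOD_PORT_THRESHOLD = 10      # distinct UDP ports hit on one host by one source

# Constructed flow records, one per line: ts proto src sport dst dport bytes
SAMPLE_FLOWS = "\n".join(
    [
        "1516838400 udp 10.0.0.5 51234 192.0.2.53 53 80",       # our query to our resolver
        "1516838400 udp 192.0.2.53 53 10.0.0.5 51234 180",      # its normal-sized answer
        "1516838401 udp 203.0.113.7 53 10.0.0.5 51234 3000",    # unsolicited large DNS answer
        "1516838401 udp 203.0.113.8 53 10.0.0.5 51234 3100",    # another unsolicited answer
        "1516838401 tcp 198.51.100.2 44321 10.0.0.5 443 900",   # ordinary web traffic
    ]
    # one source hitting 20 different UDP ports on the same host
    + [f"1516838402 udp 198.51.100.9 {40000 + i} 10.0.0.5 {1024 + i} 64" for i in range(20)]
)


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, sport, dst, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_protected(ip):
    return ip.startswith(PROTECTED_PREFIX)


def detect_dns_reflection(flows, ratio=AMPLIFICATION_RATIO):
    """Flag (resolver, victim, answer_bytes, query_bytes) where DNS answers reach a
    protected host without a matching query from it, or dwarf the queries it sent."""
    answers = defaultdict(int)
    queries = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] == 53 and is_protected(f["dst"]):
            answers[(f["src"], f["dst"])] += f["bytes"]
        elif f["dport"] == 53 and is_protected(f["src"]):
            queries[(f["dst"], f["src"])] += f["bytes"]   # keyed as (resolver, our host)
    suspects = []
    for key, answer_bytes in sorted(answers.items()):
        query_bytes = queries.get(key, 0)
        if query_bytes == 0 or answer_bytes / query_bytes > ratio:
            resolver, victim = key
            suspects.append((resolver, victim, answer_bytes, query_bytes))
    return suspects


def detect_udp_flood(flows, min_ports=FLOOD_PORT_THRESHOLD):
    """Flag (src, dst, port_count) when one external source sprays UDP at
    at least min_ports distinct ports of a single protected host."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and is_protected(f["dst"]) and not is_protected(f["src"]):
            ports[(f["src"], f["dst"])].add(f["dport"])
    return [(src, dst, len(p)) for (src, dst), p in sorted(ports.items()) if len(p) >= min_ports]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("reflection suspects:", detect_dns_reflection(flows))
    print("udp flood suspects:", detect_udp_flood(flows))
```

The resolver the host actually queried is not flagged because its answer is only a couple of times larger than the query, while the two answers that arrive with no query on record are; in a real deployment the thresholds would be tuned per site and the windows bounded by time rather than by the whole sample.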


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/attacks-breaches/ddos-attacks-become-more-complex-and-costly/d/d-id/1330899?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple